danabot | 14d1b1a276cc2ca724d2ad6eeb0d9090c456a3aa11ac80f977911496b3123a91

General

Target

14d1b1a276cc2ca724d2ad6eeb0d9090c456a3aa11ac80f977911496b3123a91.dll
Size

1.1MB
MD5

875071870de4fad3639b04a6b7f3f3fb
SHA1

f5b01b158aabbb104e53e6f4dc76a77b6a928848
SHA256

14d1b1a276cc2ca724d2ad6eeb0d9090c456a3aa11ac80f977911496b3123a91
SHA512

d79c173ae40880505d0d80ac638a973f05b2ee93bbfd910b79e4463bbc32a7a6d3bf023394a678ef56e7c831c8a7a629b5d4740d83d14c62d4b7a1b4a53b596e

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

64.188.12.140

64.188.19.39

151.106.53.109

172.245.247.101

185.136.167.142

242.61.5.230

184.74.28.43

118.227.95.92

37.240.137.117

185.181.8.49

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 9 IoCs

Processes:

rundll32.exe

flow	pid	process
1	808	rundll32.exe
2	808	rundll32.exe
4	808	rundll32.exe
5	808	rundll32.exe
8	808	rundll32.exe
9	808	rundll32.exe
12	808	rundll32.exe
13	808	rundll32.exe
14	808	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1032 1600 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1032 WerFault.exe
1032 WerFault.exe
1032 WerFault.exe
1032 WerFault.exe
1032 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1032 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1032 WerFault.exe

pid	pid_target	process	target process
1032	1600	WerFault.exe	rundll32.exe

pid	process
1032	WerFault.exe
1032	WerFault.exe
1032	WerFault.exe
1032	WerFault.exe
1032	WerFault.exe

pid	process
1032	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1032	WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1604 wrote to memory of 1600	1604	rundll32.exe	rundll32.exe
PID 1604 wrote to memory of 1600	1604	rundll32.exe	rundll32.exe
PID 1604 wrote to memory of 1600	1604	rundll32.exe	rundll32.exe
PID 1604 wrote to memory of 1600	1604	rundll32.exe	rundll32.exe
PID 1604 wrote to memory of 1600	1604	rundll32.exe	rundll32.exe
PID 1604 wrote to memory of 1600	1604	rundll32.exe	rundll32.exe
PID 1604 wrote to memory of 1600	1604	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 808	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 808	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 808	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 808	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 808	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 808	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 808	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 1032	1600	rundll32.exe	WerFault.exe
PID 1600 wrote to memory of 1032	1600	rundll32.exe	WerFault.exe
PID 1600 wrote to memory of 1032	1600	rundll32.exe	WerFault.exe
PID 1600 wrote to memory of 1032	1600	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\14d1b1a276cc2ca724d2ad6eeb0d9090c456a3aa11ac80f977911496b3123a91.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\14d1b1a276cc2ca724d2ad6eeb0d9090c456a3aa11ac80f977911496b3123a91.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\14d1b1a276cc2ca724d2ad6eeb0d9090c456a3aa11ac80f977911496b3123a91.dll,f0
3⤵
- Blocklisted process makes network request
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 380
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/808-57-0x0000000000860000-0x0000000000981000-memory.dmp

Filesize
1.1MB

Download
memory/1032-59-0x0000000000370000-0x0000000000491000-memory.dmp

Filesize
1.1MB

Download
memory/1600-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/1600-55-0x00000000003A0000-0x00000000004C1000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing